Auth-Type Perl instead of Auth-Type EAP?
Alan DeKok
aland at deployingradius.com
Sat Feb 26 07:57:02 CET 2011
Josh Richard wrote:
> What I would like to do is have a WPA2 PEAP/MS_ChapV2 Cisco wireless
> SSID hook into the FR server above.
OK...
> The FR server currently is using rlm_perl to handle authentication and
Please, no. Authentication includes things like EAP. Doing EAP in
Perl is not a good idea.
> I wrote some Perl in the rlm_perl code that uses Perl's Authen::Radius
> to proxy the lookup to a different production FR server containing the
> set of all users. Neat.
Uh... that is an incredibly bad idea. FreeRADIUS already does
proxying. Why do it in Perl? You're going to get it wrong.
> When the SSID is wired in, we see this:
>
> [peap] Got inner identity 'jrichar4'
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/inner-tunnel
> rlm_perl: Added pair User-Name = jrichar4
> rlm_perl: Added pair EAP-Message = 0x0206000c016d736865746b61
> rlm_perl: Added pair EAP-Type = Identity
> rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
> rlm_perl: Added pair Crypt-Password = *
> rlm_perl: Added pair Auth-Type = EAP
> rlm_perl: Added pair Proxy-To-Realm = LOCAL
> rlm_perl: Added pair EAP-Type = MS-CHAP-V2
>
> I would prefer to use Auth-Type = Perl in the EAP inner tunnel. Is
> this possible?
Yes. See raddb/sites-enabled/inner-tunnel
> Do I need to overload anything in eap.conf?
No.
But in general, this is a terrible idea. FreeRADIUS has proxying and
DB plugins. Redoing all of that in Perl is asking for unneeded complexity.
Alan DeKok.
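As an added configuration example (not from this thread or from the FreeRADIUS distribution), this is the native path Alan points to: let the server proxy the inner-tunnel request to the FreeRADIUS server that holds the users, instead of calling Authen::Radius from rlm_perl. FreeRADIUS 2.x syntax is assumed, matching the paths in the quoted log; the home server name, address, realm name and shared secret are placeholders.

```conf
# raddb/proxy.conf
# Placeholder home server: the production FreeRADIUS that has all users.
# 192.0.2.10 is a documentation address; replace it and the secret.
home_server users_db {
	type   = auth
	ipaddr = 192.0.2.10
	port   = 1812
	secret = REPLACE_WITH_SHARED_SECRET
	# Fail over quickly if the home server stops answering.
	response_window = 10
	zombie_period   = 30
	status_check    = status-server
}

home_server_pool users_db_pool {
	type        = fail-over
	home_server = users_db
}

# Realm name is arbitrary (placeholder); it is selected explicitly below,
# so the inner identity "jrichar4" needs no @suffix for proxying to happen.
realm users.example {
	auth_pool = users_db_pool
	nostrip
}

# raddb/sites-enabled/inner-tunnel, authorize section.
# The stock file pins the inner request to LOCAL (the "Proxy-To-Realm = LOCAL"
# seen in the quoted log). Point it at the realm instead; the inner
# EAP-MSCHAPv2 exchange is then handled by the home server, and the local
# server only terminates the PEAP TLS tunnel.
authorize {
	chap
	mschap
	suffix
	update control {
		Proxy-To-Realm := "users.example"
	}
	eap {
		ok = return
	}
	files
	expiration
	logintime
	pap
}
```

The home server must terminate EAP-MSCHAPv2 itself (eap with mschapv2 enabled) and list this server as a client; no changes to eap.conf are needed on the proxying side.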